TASK: add docs for access.ui

Security-Overview.md

@@ -41,9 +41,15 @@ Besides gRPC mentioned above, volume servers can only be changed by file upload,
 ## JWT-based access control
 To enable JWT-based access control,
 1. generate `security.toml` file by `weed scaffold -config=security`
-1. set `jwt.signing.key` to a secrete string
+1. set `jwt.signing.key` to a secret string
 1. copy the same `security.toml` file to the masters and all volume servers.
 
+> **Re-enabling Volume UI**
+>
+> By default, if the `jwt.signing.key` is set, the web UI on the volume servers is disabled. You can re-enable the web UI by
+> setting `access.ui=true` in `security.toml`. Despite some information leakage (as the UI is unauthenticted), this should not
+> pose a security risk, as the UI is purely read-only.
+
 ## How JWT-based access control works
 * To upload a new file, when requesting a new fileId via `http://<master>:<port>/dir/assign`, the master will use the `jwt.signing.key` to generate and sign a JWT, and set it to response header `Authorization`. The JWT is valid for 10 seconds.
 * To update or delete a file by fileId, the JWT can be read from the response header `Authorization` of  `http://<master>:<port>/dir/lookup?fileId=xxxxx`.